Yahoo! Reports That It Has Been Hacked (and Dropbox as well)

[Moderator_02]

Two days ago Yahoo! announced that its information systems had been hacked in late 2014. This breech of customer information affects 500 million (no, that is not a typo) of its users. This incident is being reported as the largest [known] hacking event in the history of the digital world. For CL members who are users of Yahoo! services, you may want to consider some damage control, such as password changes, etc.

An interesting twist in this story is that Yahoo! is in the process of being purchased by Verizon in a 4.83 billion USD transaction. This hacking incident reportedly could scuttle that change of ownership.

For more information, here are just two of the many links to this announcement:

http://www.businessinsider.com/yahoo-hack-by-state-sponsored-actor-biggest-of-all-time-2016-9

http://www.nbcnews.com/tech/tech-news/your-yahoo-account-was-probably-hacked-company-set-confirm-massive-n652586

Edited September 29, 2016 by Admin_01
expanded the title for a bit more specificity

[Moderator_02]

The New York Times has done a follow-up article about the Yahoo! break-in. This is an "interactive article", which was a first for me. The article lets you click a few buttons and then see an approximation of the number of times and categories of personal information that have been exposed to the bad guys.

http://nyti.ms/1Sfr7oe

[Moderator_02]

According to this CNN article, many people may have a Yahoo! account and not even know of such. Use of Yahoo Sports, Ficklr or Tumblr, etc., create Yahoo! accounts for their users.

Quote

You could have a Yahoo account without even knowing it

by Chris Isidore   @CNNTech September 23, 2016: 4:16 PM ET

 

Think you're not affected by the massive hack of 500 million Yahoo accounts? Think again.

Just because you don't have a Yahoo email account doesn't mean you're off the hook.

There are plenty of other types of accounts that put users at risk.

Play fantasy sports on Yahoo Sports?

Post pictures on Ficklr?

Blog on Tumblr?

Or maybe you just stopped using your Yahoo email years ago.

Related: Yahoo says 500 million accounts stolen

If so, you might be a hacking victim, according to a leading Internet security expert.

"There are lots of people, millions of people, who don't understand they have a Yahoo account," said Per Thorsheim, a global cybersecurity expert based in Norway.

The hack, disclosed by Yahoo on Thursday, was allegedly committed by a "state-sponsored actor" on behalf of a foreign government, according to the company. It said the breach occurred in 2014.

Much of the attention to the hack focused on current Yahoo email users. But Thorsheim said one of his big concerns is that many people don't realize they have other accounts that put their information -- including names, email addresses, telephone numbers and birthdays -- in jeopardy.

Yahoo (YHOO, Tech30) hasn't given out much information as to which accounts were hacked. And spokespeople didn't answer questions about whether specific services such as fantasy sports accounts were included in the hack.

Related: What to do if your Yahoo account was hacked

Thorsheim said the other issue is that there are probably millions of people who have forgotten about a Yahoo email account they used to have. What they don't realize is that it's still active and their information is still associated with it.

"The idea that 'I don't use that account any more, I don't have to worry about it.' - in most cases, unfortunately that's wrong," he said. "If you have an account that you don't use, you should delete it. But very few people do that. I'm guilty of not doing that myself."

http://money.cnn.com/2016/09/23/technology/yahoo-account-hack/index.html

[Keith Woolford]

The reported timing seems to coincide with the period when there were a lot of problems with Yahoo groups.

[Bud]

I got a follow-up email from a computer techie friend regarding the Yahoo! security breech that is the subject of this topic. That email brought to my attention a more recent issue with Dropbox, which is a cloud storage service that some CL members (like myself) may use. The original Dropbox breech occurred in 2012, involving 68 million Dropbox accounts.

Read further about the Dropbox incident:

Quote

Dropbox hack leads to leaking of 68m user passwords on the internet

Data stolen in 2012 breach, containing encrypted passwords and details of around two-thirds of cloud firm’s customers, has been leaked

 

The Dropbox data breach has highlighted the problem of password reuse.
Photograph: Alamy

Samuel Gibbs

Wednesday 31 August 2016 06.43 EDT Last modified on Thursday 1 September 2016 05.36 EDT

Popular cloud storage firm Dropbox has been hacked, with over 68m users’ email addresses and passwords leaking on to the internet.

The attack took place during 2012. At the time Dropbox reported a collection of user’s email addresses had been stolen. It did not report that passwords had been stolen as well.

The dump of passwords came to light when the database was picked up by security notification service Leakbase, which sent it to Motherboard.

The independent security researcher and operator of the Have I been pwned? data leak database, Troy Hunt, verified the data discovering both his account details and that of his wife.

Hunt said: “There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can’t fabricate this sort of thing.”

Dropbox sent out notifications last week to all users who had not changed their passwords since 2012. The company had around 100m customers at the time, meaning the data dump represents over two-thirds of its user accounts. At the time Dropbox practiced good user data security practice, encrypting the passwords and appears to have been in the process of upgrading the encryption from the SHA1 standard to a more secure standard called bcrypt.

Half the passwords were still encrypted with SHA1 at the time of the theft.

“The bcrypt hashing algorithm protecting [the passwords] is very resilient to cracking and frankly, all but the worst possible password choices are going to remain secure even with the breach now out in the public,” said Hunt. “Definitely still change your password if you’re in any doubt whatsoever and make sure you enable Dropbox’s two-step verification while you’re there if it’s not on already.”

The original breach appears to be the result of the reuse of a password a Dropbox employee had previously used on LinkedIn, the professional social network that suffered a breach that revealed the password and allowed the hackers to enter Dropbox’s corporate network. From there they gained access to the user database with passwords that were encrypted and “salted” – the latter a practice of adding a random string of characters during encryption to make it even harder to decrypt.

Dropbox reset a number of users’ passwords at the time, but the company has not said precisely how many.

The hack highlights the need for tight security, both at the user end – the use of strong passwords, two-step authentication and no reuse of passwords – and for the companies storing user data. Even with solid encryption practices for securing users’ passwords, Dropbox fell foul of password reuse and entry into its company network.

Leading security experts recommend the use of a password manager to secure the scores of unique and complex passwords needed to properly secure the various login details needed for daily life. But recent attacks on companies including browser maker Opera, which stores and syncs user passwords, and password manager OneLogin, have exposed the dangers of using the tool.

Picking the right password manager is just as crucial and using one in the first place.

A Dropbox spokesperson said: “There is no indication that Dropbox user accounts have been improperly accessed. Our analysis confirms that the credentials are user email addresses with hashed and salted passwords that were obtained prior to mid-2012. We can confirm that the scope of the password reset we completed last week did protect all impacted users.”

https://www.theguardian.com/technology/2016/aug/31/dropbox-hack-passwords-68m-data-breach

Note that the Dropbox breech was reported by many news sources; this is just one of many, but no need to be redundant here.

---

I preface the remainder of this posting with a disclaimer that I am not under the employ of a Swiss-based company called Tresorit. What I am writing here may appear to be advertising; my goal simply is to provide information, and you get to decide what you do with that information, if anything. (As an aside, I have signed up for Tresorit service, and will be moving my cloud storage needs from Dropbox to Tresorit.)

I am led to believe by trusted sources that Tresorit is [possibly] the only commercially available cloud storage service provider that has not been cracked [yet]. Tresorit asserts that they have "invited" or "challenged" the cracker community to try to break into their secure cloud storage, but as of this writing such a breech has not been achieved.

I do not find Tresorit as user friendly as Dropbox, but I do get the impression that it is very secure. What makes it different from other services is that Tresorit encrypts everything before it leaves your computer, and the Tresorit systems have zero ability to decrypt anything because they have zero access to or knowledge of your encryption keys. That seems to be a two-edged sword -- total (!) data security, but absolutely catastrophic loss of your data should you forget your Tresorit passwords. You get to set your priorities.

I quote here from a recent email (dated 28 September 2016) from Tresorit, primarily because there are some interesting links that provide additional information (click on the embedded hotlinks) regarding data security:

Quote

Several large data breaches and password leaks have hit the news recently, including over 60 Million leaked Dropbox passwords. None of these breaches affected Tresorit, where your data is protected by end-to-end encryption.
 
As we put data security first, let us share some tips that can help protect your account from cyberattacks - in any online service.

• Strong passwords are hard to break. Click here to read what makes a strong password.
• Password managers help you remember complex passwords. Consider Keepass or Lastpass.
• 2-factor authentication protects your account even if your password is stolen. Many sites offer this, including Tresorit.
• Learn how to tell if an online service provider handles your password with care. Find out more >>

Did you know? For increased security Tresorit doesn’t know your password. Even in the unlikely event that Tresorit is hacked, your password would still be safe due to our zero-knowledge architecture.
 
Stay safe,
Tresorit Team

I close with a repeat of my disclaimer that I am not trying to sell anyone on Tresorit. This is for informational purposes, and the reader gets to decide what is best for them.

P.S., I use the LastPass application that is mentioned in Tresorit's above email as my password vault.

 

[Moderator_02]

 

 

 

[MarieElaine]

This all happened in 2013 and they are just finding it?  If anything was going to happen to you, it would have already happened I am sure.

[Bud]

MarieElaine, you are correct that this email received about 48 hours ago from Yahoo actually refers to a breach that occurred in 2013. Three years to report it. Ouch! The damage has long since been done.

I do know from other reports that Yahoo did report this breach earlier this year, but again long after the fact.

FYI, the email from Yahoo that is shown above was an email sent to me earlier this week for my backup Yahoo email account. I remain unimpressed with their "proactive" stance.

[Bonnie]

According to an article in this morning's NYT, Yahoo was unaware of the breach until it was discovered and brought to their attention by law enforcement authorities. See LINK

Edited December 16, 2016 by Admin_01
Repaired hotlink